Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries.  Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration.  [SP 800-28] provides guidance on configuration change control. 

Priority: High   

Category: Change Management 

Services Associated with AWS: 

  • AWS Identity and Access Management (IAM), AWS Security Groups, AWS CloudTrail
  • AWS IAM, AWS Systems Manager, AWS CloudFormation
  • AWS IAM, AWS Organizations, AWS Systems Manager
  • AWS IAM, AWS Organizations, AWS Security Groups, AWS Systems Manager 

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how logical and physical Role Based Access Control (RBAC) is
  • properly & securely implemented
  • Administrative: supporting documentation to demonstrate how change management is implemented
  • Technical: screen shot of groups and membership assignment
  • Technical: screen shot of Configuration Management Database (CMDB) console 

Possible Technology Considerations : 

  • Change Control Solution
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Physical Access Control (PAC) 

What needs to be answered :  

Are only employees who are approved to make physical or logical changes on systems allowed to do so and documented? All change documentation should include the name of the authorized employee making the changes. 

  • Define Physical and Logical Access Restrictions for System Changes
    Description: This check ensures that organizations define both physical and logical access restrictions associated with changes to their organizational systems. Physical access restrictions include measures such as physical barriers, access controls, and surveillance systems to prevent unauthorized physical access to systems during change activities. Logical access restrictions include authentication, authorization, and other security measures to control and restrict logical access to systems for making changes.
  • Document Access Restrictions for System Changes
    Description: This check verifies that organizations document the access restrictions associated with changes to their systems. Documentation should clearly outline the physical and logical access controls in place, including the roles and responsibilities of individuals involved in the change process, the procedures for requesting and approving changes, and any necessary permissions or privileges required to perform system changes. Proper documentation ensures transparency and accountability in managing access during system changes.
  • Approve Access Restrictions for System Changes
    Description: This check ensures that access restrictions for system changes go through an approval process. The approval process involves appropriate stakeholders, such as system owners, security officers, and change control boards, who review and approve access requests based on defined criteria. Approval of access restrictions helps maintain control over the change process and ensures that only authorized individuals are granted access to make changes.
  • Enforce Access Restrictions for System Changes
    Description: This check emphasizes the enforcement of access restrictions during system changes. Organizations should implement technical controls and security measures, such as role-based access controls, multi-factor authentication, and least privilege principles, to enforce the defined access restrictions. Enforcing access restrictions helps prevent unauthorized access and reduces the risk of unauthorized or malicious changes to organizational systems.

More Details:   

Changes to information systems documented, reviewed, and approved by IT administrators prior to implementation.